One container, zero dependencies: what's deliberately absent from our image
The most secure dependency is the one that isn't there. Crowkis ships as a single stripped binary with the model baked in, no Python, no package manager, nothing to poison at runtime.
Every dependency in your runtime is a door someone else can walk through. The supply-chain attacks that make headlines don't break your code, they slip something into a package your code trusts. So when we packaged Crowkis, we asked a different question than 'what should we add?' We asked 'what can we leave out?'
One file to review. No supply chain to compromise.
For a security team, this changes the review from auditing a dependency tree of thousands of packages to reviewing one artifact. For an air-gapped or regulated deployment, it means the thing runs with no network at all, the model is already inside. The absence is the feature.
The bottom line
You can't be compromised through a dependency you don't ship. One binary, one model, no runtime supply chain, the smallest attack surface we could build.